
Passcode

The passcode is the first line of security for devices, so organizations want passcodes that adhere to their security standards, such as minimum length and complexity requirements. You can define the parameters for creating a passcode by configuring the Passcode profile. Setting up a Passcode profile for a device automatically sets the passcode for an Apple Watch when it is paired with the device.

Profile Description

| Profile Specification | Description |
| --- | --- |
| Allow passcode to be set on the device (macOS 10.7 or later versions - Supervised devices only) | Enabling this allows a passcode to be set on the device as per the associated Passcode profile configurations. If restricted, a passcode cannot be set. Also, the existing passcode on the device is automatically cleared and users are prevented from setting a new passcode. |

Settings below can be configured only if Allow passcode to be set on the device is enabled.

| Profile Specification | Description |
| --- | --- |
| Passcode should contain | Choosing Simple Value ensures a simple passcode is set on the device. This can include repeating, ascending and descending character sequences such as 1111/aaaa etc. If Alphanumeric Value is chosen, the passcode must contain alphanumeric values. Note: If the existing passcode meets the complexity requirements mentioned in the passcode profile, the user will not be prompted to change the passcode. |
| Minimum passcode length | The minimum length for the passcode can be set here. |
| Minimum number of special characters | The minimum number of special characters that the passcode should contain can be set here. |
| Maximum idle time allowed before auto-lock | Idle time refers to the time duration before the device screen locks automatically. The maximum idle time can be set as required. If the specified duration is not supported by the OS running on the device, the closest duration supported by the OS is selected automatically. |
| Maximum time to unlock device without passcode | The time limit for users to unlock devices without using their passcodes can be set here. For instance, if this has been set to five minutes, users can unlock the device without a passcode within five minutes after the device gets locked. |
| Maximum number of failed attempts | The maximum number of attempts to unlock the device before it gets locked by Apple. |
| Restrict users from changing the passcode | Enable this option to restrict users from modifying the passcode set on the device. |
| Reset passcode at next authentication | If enabled, the user will be prompted to modify the password during the next login attempt after the profile is distributed. If disabled, the user will be notified to set a compliant passcode only when the user manually tries to modify the device passcode. |
| Account lockout duration | Set a delay time to re-enable login when the user exceeds the specified number of failed login attempts. The user account will remain locked and the user will be allowed to enter the passcode only after the specified duration. |
| Maximum passcode age | Maximum passcode age refers to the number of days after which the passcode expires and a new one has to be set. This can range from 1 to 730 days. |
| Maximum number of passcodes to be maintained in history | This can range from 1 to 50 passcodes. |
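
The settings listed above can be audited before a profile is distributed. The following is an added example, not part of the original page or the product: it checks the passcode payload of an Apple configuration profile against a baseline. The key names are those of Apple's passcode payload; the sample profile, the baseline thresholds and the function name `audit_passcode_payload` are constructed assumptions for illustration.

```python
import plistlib

# Constructed sample: a passcode payload as it would appear inside a
# configuration profile (key names are Apple's passcode payload keys).
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.mobiledevice.passwordpolicy</string>
    <key>allowSimple</key><true/>
    <key>requireAlphanumeric</key><false/>
    <key>minLength</key><integer>4</integer>
    <key>maxGracePeriod</key><integer>5</integer>
    <key>maxPINAgeInDays</key><integer>900</integer>
    <key>pinHistory</key><integer>5</integer>
  </dict></array>
</dict></plist>"""

# Hypothetical organizational baseline (assumed values): key -> (check, message).
BASELINE = {
    "allowSimple": (lambda v: v is False, "simple values (1111/aaaa) are permitted"),
    "requireAlphanumeric": (lambda v: v is True, "alphanumeric value is not required"),
    "minLength": (lambda v: v >= 8, "minimum passcode length is below 8"),
    "minComplexChars": (lambda v: v >= 1, "no special character is required"),
    "maxInactivity": (lambda v: 1 <= v <= 5, "auto-lock idle time exceeds 5 minutes"),
    "maxGracePeriod": (lambda v: v == 0, "device unlocks without a passcode after locking"),
    "maxFailedAttempts": (lambda v: 1 <= v <= 10, "failed attempts limit is above 10"),
    "maxPINAgeInDays": (lambda v: 1 <= v <= 730, "passcode age is outside 1 to 730 days"),
    "pinHistory": (lambda v: 1 <= v <= 50, "passcode history is outside 1 to 50"),
}

def audit_passcode_payload(profile_bytes):
    """Return sorted findings for every passcode payload in the profile."""
    profile = plistlib.loads(profile_bytes)
    findings = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.mobiledevice.passwordpolicy":
            continue  # skip Wi-Fi, restrictions and other payload types
        for key, (ok, message) in BASELINE.items():
            if key not in payload:
                findings.append(f"{key}: not set")
            elif not ok(payload[key]):
                findings.append(f"{key}: {message}")
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit_passcode_payload(SAMPLE_PROFILE):
        print(finding)
```

Settings reported as "not set" are left to the OS default, so they are listed as findings rather than silently passed.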

Points to Remember

  • Account Lockout on Failed Attempts: If the maximum number of failed login attempts is reached, the user's account will be locked. Admins can unlock it using the Recover User Account action in MDM Inventory.
  • Passcode Expiry Notification: macOS will notify users about passcode expiration starting 30 days before the expiry date. Notifications will appear during login until the passcode is updated.